I have timestamps in the logs; however, they register the time minute by minute and not event by event, so I am not using timestamps as a delimiter. My idea is to consider multiple lines as one event. Because of that I am using the command SHOULD_LINEMERGE = true, but my expectation is to have just some lines filtered in the unique event and not all lines. So I would like to know if it is possible to filter merged lines. I tried everything on my side and it is not working. Either all lines are indexed in only one event, or the lines are filtered but with one event for each filtered line.